HACKER Q&A
📣 StartupTree

Should I delete passwords/email addresses for inactive users?


I run a website with circa 100,000 users. Most have not logged-in for over a year.

For security, should I delete the password and email address of inactive accounts, in case I get hacked? I want to keep the account usernames and the content they have created.

If yes, is a year a reasonable cutoff date? Is there best-practice guidelines regarding this?

  👤 lucb1e Accepted Answer ✓
Interesting idea. Data hygiene is refreshing, I like the change from the "collect everything" attitude. (My company also deletes old data from b2b customers to avoid leaking it in case of a breach - we're an IT security firm.) Still, it's not a common practice yet and it's hard to accurately judge the odds that any of the protections will ever pay off. But kudos to anyone who does it! Even as a security consultant, this is not something I regularly get to think or advise about, so I don't have any standard or well thought out answer. I'll just share some thoughts :)

Users may be annoyed at having to reset the password or create a new account (if you remove their email address). Depending on the type of business (porn site vs random forum), this may not be worth it or you might want to vary the amount of time (shorter for a sensitive website than for a random forum).

Against credential stuffing, it would be helpful to look at the last login date and require email confirmation after they didn't login for ?6? I months and/or if there have been an unusually high number of invalid logins on the platform in the past 48 hours.

Against data being stolen from your database, strong hashes are really key. You could apply ten times the cost factor (assuming a linear cost factor; for bcrypt this would be +3 or so) for users that didn't login in the past few months. They'll have to wait a second (you could even show a loading screen if you apply some serious hashing) upon relogin but it can be fast again after that (if you store the quicker hash after a new login). Removing the password is even better, but the annoyance factor is probably weighed in for your business case. Maybe after a few years, this would be worth it (for an average, not high-security, website).

If the email address is the username, you could also hash the email address (with a slow hash, just like the password, though you can't salt it for indexing reasons), since the user enters the plaintext on login anyway. This way, an attacker has a really hard time recovering it if they don't already have it (in which case it probably doesn't matter much anyway). I guess this doesn't work for mailing lists, but those could be kept on separate systems.

The parameters (after how long you apply which protection) additionally depend on how commonly users return after not logging in for a while. A shop might have a return customer after a year for infrequent / niche purchases, but a random blog probably sees many more completely abandoned accounts.

Hope this helps! And kudos for giving this some thought :)